Spectre/Meltdown bug affecting Python ?

Grant Edwards grant.b.edwards at gmail.com
Sat Jan 6 17:47:25 EST 2018


On 2018-01-06, Ian Kelly <ian.g.kelly at gmail.com> wrote:
>
>> > Furthermore, I'd like to know if Python can mitigate hardware-specific
>> > timing attacks.
>>
>> For CPython, probably not.  Anything that Cpython tried to do could be
>> trivially defeated by using something like ctypes to make calls to
>> arbitrary machine code that was written to a file.
>>
>
> It sounds like you're talking about the case where the malicious code is
> hosted by Python. I agree that's probably not realistic to do anything
> about -- if you can run malicious code then you're probably not restricted
> to Python (and without knowing a lot about the attacks, I'm doubtful that
> it's possible to implement them in pure Python anyway).

Yes, that's what I was talking about.

> I think the OP was talking about protecting the data of Python programs
> from other malicious processes, however. The mitigation seems to be like it
> could reasonably be accomplished (at least for core Python -- extension
> code would be on its own).

Ah, yes.  Eventually it seems that just compiling CPython with a
compiler that uses something like Google's "retpoline" should help:

  https://support.google.com/faqs/answer/7625886

Though I think I understand what the retpoline _is_, I don't really
understand enough about the Spectre vulnerability say much else.

-- 
Grant Edwards               grant.b.edwards        Yow! I'm having an
                                  at               emotional outburst!!
                              gmail.com            




More information about the Python-list mailing list